Hacking BodyBugg fitness sensors to get around subscription fee

This arm cuff is a sensor package which logs data whenever you’re wearing it. It records accelerometer data, skin temperature, and galvanic skin response. That data can then be analyzed to arrive at figures like calories burned. But… The company behind the device seems to have included a way to keep the cash flowing. Once you buy it you can read the data off of the device using a Java program they supply. But you can’t erase the data from the device unless you subscribe to their online service. Once it fills up, it’s useless. [Doug] wasn’t happy with this gotcha, so he reverse engineered the technique used to clear the BodyBugg’s memory.

There had been a few previous attempts at reverse engineering the device but that groundwork didn’t really help [Doug] on his quest. He ended up disassembling the Java classes from the original program. This helped him figure out how to initialize communications. Once there he was happy to find that the device will tell you how to use it. If you issue an invalid command it will respond with a list of all valid commands. Everything you need to get up and running can be found in his github repo.

Hey, looks like the company is closing shop on Jan 31st. So now I have no choice but to figure out how to retrieve, parse, and clear the data from my BodyBugg all on my own. Otherwise, it becomes completely useless. Have you been able to figure it out? I can’t actually make sense of what I have to do. Thanks!

I’d like to think there was a righteous engineer that took a great risk, and left this vulnerable to hacking. Where this is vulnerable the engineer didn’t do his job from the from the viewpoint of management, and investors. Personally I care more about the engineer that I do investors are mere paper holders, and have no other interest in a company, it’s product and the employees that make the product, their only interest is the dividend check. Good companies manufacturing good product, will always have willing investors. While I may never have this product a thank you to Doug for sharing

If too many people hack it, the continuing revenue stream drops to the point where the company no longer makes a profit. It closes up shop and the jobs of everyone involved in production and servicing of the device go *poof*.

Which is a good reason for companies not to use this business model. If I buy a physical item, I own the physical item. I am under no legal or moral obligation to purchase any additional products or services.
Companies need to learn that just because they want to be able to make money doing something a certain way doesn’t mean the rest of the world needs to oblige them. Supply and demand works both ways.

They deserve that. Price the device at a a point where you make profit. Oh wait, your product sucks and is overpriced so people wont buy it at a point where you make profit? Wah, you deserve to go out of business then.

How about just not buying it? These devices are all overhyped garbage anyway. Just so ya can squeeze another 200 calories burned into your workout thru fuzzy math lol. Buy the one that says ya burned the most calories! Like others have said, kudos to the engineer on this one for leaving the door open.

And that is why I haven’t bought a smartphone…
In order to sync a “smart”phone to my existing M$ Outlook[calendar,contacts] I was told I needed a $30(USD)/month subscription. Therefore I’d need to pay $360/year to have the same functionality I currently have with my “dumb”phone and my PDA (purchased for $10(USD)(used) several years ago. I admit, there is no direct link between my PDA and the phone to enable the phone to dial directly from an Outlook contact, but the 3 or 4 times I need to do it each year are less “inconvenient” than $360 for the same time period.

In case no one else tells you today, “You rock!” As a former razr/palmer myself, keep up the good times and skweezer for all of those pesky newfangled sites! I wish I remembered my final setup but after the initial setup, it worked pretty darn well. The wife got annoyed with syncing, though and eventually we replaced our phones with another round of dumbphones. Like yourself, the data plans are just not worth it to us as our cable internet is fing 50 bux a month (and I have a problem with that lol). Anyway, keep on keeping on man!

In my opinion these kind devices are not really worth hacking.
They should only be brought back to the shop for a refund.
I did the same with my squeezebox about a year ago, it was not possible to use that thing without a subscription from logitech.

I’m using eclipse to build the software, the only source file you need is the bodybuggbypass.java file. Just create a new java project and in the project properties add the external jars to the build path, should compile and run without too much fiddling.

Thanks to that engineer, after the company will go bankrupt (all companies will, eventually) some of their products won’t become paperweights or – much worse – environmental hazards like most closed-hardware electronics do.

Oh come one we have all left that stuff in to help us with development/debugging… The company won’t lose a dime because those of us that will bother to hack it wouldn’t pay for the service anyhow. Now off to eBay to find one ;-)

This is not the first work on this device. The bodybugg and other rebadged versions (gofit, etc) were hacked a while ago with a simple program called freethebugg (search for it on facebook, no, really, facebook). Although the work done here definitely delves more into the nuts and bolts though. My wife and I have been using the freethebugg software for a while to use a second hand bodybugg without a subscription.

Also, part of the reason the device might be so hacker friendly is that they actually licence the technology to other companies, making it more friendly for them to implement/change features is good business on that end.

The flaw he found in FreeTheBugg was that it was taken down from Google. I suggested looking it up on facebook where they provide current links to the program. FreeTheBugg is more useful in that it is fully developed and parses the data into useful information such as calories burned.

Encompassing something like this in law gives it all kinds of additional problems. Which government agency becomes responsible for the enforcement of this law? How long is a company forced to provide support for a device? Who does it apply to? Companies? OSHW developers? What happens if the only software being made for a device is being made by an independent developer? Is he required by law to distribute it?

Remember, this is a product that is available for voluntary purchase. No one is being forced into this.

In truth, a lot of these problems are those faced by Public Domain works (which is another discussion entirely). Obligating individuals by law is very often a poor solution.

Simple:
The Fcc.
The companies are not forced to support a simple hardware device, but an online only service should have a minimum of x number of years, except in cases of actual bankruptcy (if they have a parent company, the parent company must take over).
It applies to anyone selling a device with a stated purpose. Hell, it’s already called “implied warranty of merchantability”.
Yes, they would be required to provide software for said purpose if said purpose only works like that.

In practice, it is simple. Device x does y. Provide software/cd for said device. Software should not have a killswitch after x number of years. They don’t have to update it, it just has to work as stated on the intended os. My copy of photoshop 3 might be obsolete by a few generations of computer upgrades now, but If I pull out my old apple performa, I can still run it. I can still install Windows XP on any Pentium 3 computer. It’s not hard that SOMETHING SHOULD WORK AS DESCRIBED WITHOUT ARTIFICIAL LIMITATIONS. If I buy a camera today, it damn well better work with the same software on a computer 20 years from now, unless the camera or the computer physically break. This is no different.

Look at MMORPG. They plainly state that a, online service is required, b, subscription is required, c, that it is limited to how ever long they decide to run a server.
If Bodybugg put that on their packaging, in not-fine print, then they would be safe.

i meant more of a
“you can not sue me for buying AND USING a used product”
… even if the original disk was destroyed, outdated, ect

as in make it LEGAL to resell software ONLY IF ACCOMPANIED WITH ORIGINAL HARDWARE

as in most software is ORIGINAL PURCHASER ONLY
second hand sale is illegal, but should not be, if the only thing the software does is communicate with a specific hardware device… one that has been paid for

It’s more like: Insert real coin, get can, then notice that you can only drink from can by paying 5 cents a sip.

Therefore: break open can.

They’re sneaky bastards. When going to the buying page, they mention the subscription fee in tiny font on the bottom: “**bodybuggSP personal calorie management system includes 6 months online subscription. Online subscription renewal fee is $6.95 for month to month.” And that is not even specifically saying the device will be useless without the fee. This is very close to misleading advertising.

Body Media argues that they add the monthly value to your use of the device by continuing to refine the report of what you get out of your device. For instance, not too long ago they took their development team to spend time with the devices on execise bikes so they could improve the accuracy of the output you get from that (they have been notoriously inaccurate on exercise bikes and elliptical machines)

I used a Body Media sensor for 3 months and loved it. My free subscription expired and I wasn’t willing to pay for it. That said, there’s more than just the raw data off the device at work here. It’s reasonable to say that a person could build their own set of algorithms to process the data further. But it’s not just Body Media/24 hr fitness taking everyone for a ride. There are advantages to the subscription model.

This is true, though for people who just want the device and the data it records you kind of get lumped into a more expensive business model. I for example was never interested in calorie calculations, I’m primarily using it for some research I’m doing on sleeping habits and how they’re affected by ambient//body temperature.

I agree completely. I haven’t found the competing products (Fitbit, Nike Fuel, etc) to provide the same level of data. I’m very pleased that you spent the time figuring out how to do this. You’ve provided a significant benefit to the community.

Bemasher: this likely isn’t applicable to your needs;
But I found out , courtesy of the home wintertime T’stat wars and a bit of further noting as a solo occupant,
what my optimum sleep temps were/are.
For me, (Fahrenheit) 65 or below = best sleep.
68 brings active, recallable dreams, that may awaken me during them
and ambient noises easily awaken me.
70 takes it to “common grade” nightmares.
72~73 begins to set off the really bad ones,
truly bizarre stuff that makes the internet look tame.

I have similar “problem” at work. My company is planning home automation server, but it won’t work without a subscription fee (it will connect to company’s servers for easy remote control over internet), what arguments could I use to convince my boss to include “offline” mode where you can have your own server and use it yourself in any way you need?

There are never internet/telco interruptions? If the thing is useless without “calling the mothership” I’d be angry when a storm knocks out the internet connection, and I can’t turn lights on, run heat/ac, etc.

ueh,things like “if provide an open api/decent interface doc you will then actually sell stuff to geeks who will play with it, recommend it to their non tech friend (who will pay the fee seen they don’t want to setup own servers, router config, etc and want to simply use it) and do silly thing with it that is then featured on high trafic sites like Had, make , intructables etc?”
note that i’m not talking about having a dumb down “no sub” mode but allowing people to actually interface with it and mod it/adapt it/etc

Well, if the hardware is designed as a human interface device with just enough ‘brains’ in the house to run essential functions without the outside link, then what he is really selling is the algorithm that is only run on his servers. That algorithm/service is simple to keep a trade secret, so all he has to do is make sure his version is better than any open source version that happens to pop up. Hell…release the API and invite other companies to make compliant devices. Let them worry about hardware development, inventory and supply chain headaches. Then, once you have a huge database of user energy usage stats, sell the whole thing to google and retire.

There are plenty of parts of the US where broadband is not available, you are
stuck using dialup. Don’t know what your market is, but even if it is fancy homes – there are plenty of fancy homes built out in the country.

Security would be another angle. If your system has to be accessible from the internet,
then it is more open to hacking (monitoring by outsiders, or even control by unauthorized users). So being able to run your own server would be selling point for those who are
security conscious, or paranoid.

(After “the big one” it would be a real downer if the zombies got control of your home,
or if you couldn’t use your toys because the companies servers got fried.)

Future proofing – companies come and go. I wouldn’t put my data in a cloud/server/whatever that I couldn’t get it back out of. Likewise, wouldn’t buy a
home automation system, alarm, etc. that I couldn’t keep using after the company goes belly up. Your boss may not like that approach – but there are consumers out there
who think ahead.

The github is missing the actual classes, must be licensing issues. I don’t see any actual protection through the Java code though, looks like it works off a time-stamp checkum in firmware, you change it through the class call and it writes again; class call uses JVM serial class.

I would of disabled OCD and used PKI or ECDSA with server-responses that set bit-fields ^^

Also I think it’s funny everyone flaunts their supposed tech knowledge but show how noob(or never-employed) they are bye realizing all tech funding comes from marketing and business modeling…

I omitted any of the class files BodyMedia created after finding the DMCA notice issued to remove FreeTheBugg’s documentation and source code from google docs. They got it all removed because the FreeTheBugg jar had verbatim copies of the classes from the applet jars used for uploading data to their service.

OK if Bodybugg wanted to charge for updates to their phone app that would have been one thing. Instead they decided if you aren’t subscribed they are going to cripple your device…. Sorry that is just disgusting.

Consider some of the draconian aspects of US intellectual property law regarding organisms (think seeds). In parts of the country you can not grow soy beans from your own saved seed because there are enough other growers that use seed that is certain companies intellectual property so that if your beans get pollinated by their seed, then they haul you in to court for violating their IP. (Even though they are the ones who let their IP blow around in the wind, or be carried off by insects).

Or look at some of the food libel laws. (You have to be really careful what you say about certain types of products.)

I wouldn’t worry about it too much, the MyBasis is twice as expensive and is sold out until christmas. Although it records heart rate optically without any external devices and they’re developing an API to access your data.

I’ve updated the links on both my blog and github to point to the new versions of the jars. However, I’ve not had a chance to test them with the application, so I’m not sure if they’ll work without modifying the code.

bodymedia announced today that they are ending their subscription program and all devices will be essentially inoperable. I know this bypass/hack method doesn’t work any longer. Anyone know of another working way to keep these devices operational?

I too would be interested if someone could revive this project. I would be interested in trying to bypass the login and access the data that comes from the device though I don’t have much time these days as I have to commit most of my time to my full time job. Hopefully, someone will be able to come along and tackle this issue.

For topical reasons, anyone found out something new with regard to a usable hack for the Bodymedia devices? There is a software called “Bodymedia Sensewear” for commercial use (e.g., when u rent the device). Maybe it could also work for our problem?